I'm learning how to make my site more secure. I'm using mysqli's escape function to sanitize input going into SQL queries, and using htmlspecialchars() on input coming from the database (or GET/POST requests) before echoing it out onto the page.
But the text coming from the database to display to the user looks bad, because characters are escaped with slashes, and it shows <br /> or \r\n instead of doing a line break. I can strip the slashes, of course, but shouldn't mysqli's string escape function change the escaped characters back once they're put into the database?
Am I not supposed to use htmlspecialchars to sanitize output being displayed to the user? Or should this not be happening (in which case there must be something weird going on with the data going in)?
I still want line breaks, so I'm having to do a string replace. I made the function below as a replacement for htmlspecialchars(). I'm not seeing anyone doing this online anywhere, so I'm afraid maybe I'm doing it wrong. :-/
    function display($data) {
        // Turn the literal backslash sequences stored in the database into line breaks
        $new = str_replace('\r\n', "<br />", $data);
        $new = str_replace('\n', "<br />", $new);
        $new = str_replace('\r', "<br />", $new);
        $new = stripslashes($new);
        $newer = htmlspecialchars($new);
        // htmlspecialchars() has already encoded < and >, so the tags to be
        // allowed back in have to be searched for in their entity form
        $search  = array('&lt;b&gt;', '&lt;/b&gt;', '&lt;i&gt;', '&lt;/i&gt;',
                         '&lt;u&gt;', '&lt;/u&gt;', '\r\n', '&lt;br /&gt;');
        $replace = array('<b>', '</b>', '<i>', '</i>', '<u>', '</u>', '<br />', '<br />');
        $newest = str_replace($search, $replace, $newer);
        return $newest;
    }

Here's how I'm sanitizing input going into the database:

    function escape($data) {
        global $conn;
        connect();                               // helper that opens the mysqli connection in $conn
        $data = stripslashes($data);             // drop any slashes already added before this point
        $data = $conn->real_escape_string($data);
        $conn->close();
        $data = str_replace(chr(0), '', $data);  // remove NUL bytes
        return $data;
    }

    function sanitize($data) {
        $data = trim($data);
        $data = strip_tags($data);
        $data = escape($data);
        $data = htmlspecialchars($data);         // HTML-encodes the value before it is stored
        return $data;
    }
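Since the question is really about where each kind of escaping belongs, here is an added example (not the poster's code) of the layering that avoids the slashes and entities showing up in the database: the raw text is stored through a bound parameter, HTML-encoding happens only at output, and a fixed set of tags plus real newlines are re-enabled afterwards. It assumes a mysqli connection in $conn and a hypothetical table `posts` with a TEXT column `body`.

```php
<?php
// Added example, not the poster's code. Assumes a mysqli connection in
// $conn and a hypothetical table `posts` with a TEXT column `body`.

// Input side: store the text exactly as typed. A bound parameter sends the
// value separately from the SQL text, so no real_escape_string(),
// stripslashes() or htmlspecialchars() is needed here and no backslashes
// end up in the stored row.
function store_post(mysqli $conn, string $body): void {
    $stmt = $conn->prepare('INSERT INTO posts (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    $stmt->close();
}

// Output side: encode everything for HTML, then re-enable a fixed whitelist
// of tags and turn real newline characters into <br>.
function display(string $data): string {
    // 1. Every < > & " ' becomes an entity, so user-supplied markup is inert.
    $safe = htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Because step 1 encoded them, the tags allowed back in are searched
    //    for in their entity form. Only the bare tag matches, so a tag
    //    carrying attributes stays encoded.
    $search  = ['&lt;b&gt;', '&lt;/b&gt;', '&lt;i&gt;', '&lt;/i&gt;',
                '&lt;u&gt;', '&lt;/u&gt;'];
    $replace = ['<b>', '</b>', '<i>', '</i>', '<u>', '</u>'];
    $safe = str_replace($search, $replace, $safe);

    // 3. nl2br() acts on the actual CR/LF characters in the text, not on the
    //    two-character sequence backslash-n that a single-quoted '\n' matches.
    return nl2br($safe, false);
}

// Constructed sample input, as a user might type it into a textarea.
$input = "Hello <b>world</b>\r\n<script>alert(1)</script>\nbye";
echo display($input);
// The <b> tag is restored as markup, the <script> tag is shown as plain
// text, and each newline is followed by a <br>.
```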